mailserver: Disable requesting DSN over SMTP

This still allows requesting a DSN over submission, so trusted clients are not affected. It only affects sending DSN to other systems, which now no longer takes place. This is done to avoid leaking rspamd internals.
mailserver: Extend Received header with TLS info
2024-02-03 01:07:49 +01:00 · 2024-02-03 00:12:05 +01:00 · 2024-02-02 12:30:29 +01:00
2 changed files with 2 additions and 0 deletions
--- a/machines/vueko/secrets/mail-users.nix
+++ b/machines/vueko/secrets/mail-users.nix
--- a/modules/mailserver/postfix.nix
+++ b/modules/mailserver/postfix.nix
@ -95,6 +95,7 @@ lib.mkIf cfg.enable {
      smtpd_tls_protocols = "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1";
      smtpd_tls_mandatory_ciphers = "medium";
      smtpd_tls_loglevel = "1";
+      smtpd_tls_received_header = "yes"; # add TLS connection details to Received header

      tls_medium_cipherlist = listToString [
        "ECDHE-ECDSA-AES128-GCM-SHA256"
@ -140,6 +141,7 @@ lib.mkIf cfg.enable {
      # Postscreen
      smtpd = {
        type = "pass";
+        args = [ "-o" "smtpd_discard_ehlo_keywords=silent-discard,dsn" ];
      };
      smtp_inet = {
        # Partially overrides upstream
Author	SHA1	Message	Date
Simon Bruder	44ce57413f	mailserver: Disable requesting DSN over SMTP This still allows requesting a DSN over submission, so trusted clients are not affected. It only affects sending DSN to other systems, which now no longer takes place. This is done to avoid leaking rspamd internals.	2024-02-03 01:07:49 +01:00
Simon Bruder	c944812a68	mailserver: Extend Received header with TLS info	2024-02-03 00:12:05 +01:00
Simon Bruder	0e870e7188	vueko/mail: Add alias	2024-02-02 12:30:29 +01:00